More than 1 Million WordPress Websites Imperiled by Critical Plugin Bug

More than one million websites that run on the WordPress content management application run the risk on being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

“WordPress has always done a very poor job of scanning plugins that the community creates and uploads. A malicious actor can create a very interesting and useful plugin that the community users might be interested in using on their WordPress site. These malicious actors will load backdoors that they can then use to compromise a users WordPress environment collecting visitor data to those sites. They also have the capability of using the wordpress site maliciously through vulnerable legitimate plugins. There have been several plugins that are still available on the WordPress community site that are no longer supported by the developers who created them. An example of this is probably the very vulnerable plugin called Tim Thumb. It was developed by a Developer called Gillbanks. He wrote Gillbanks wrote on his Binary Moon website that he no longer maintains TimThumb outside of attending to an infrequent security issue such as this one. The PHP-based image re-sizing software, which suffered a previous zero-day in 2011, is all but obsolete because WordPress supports post thumbnails.“I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011,” he said.

WordPress’ popularity as a content management system (44 percent of CMS market share) is matched in parallel by the number of security vulnerabilities afflicting the open source platform. Researcher Ryan Dewhurst just released his WPScan vulnerability database to compliment the WPScan tool he wrote back in 2011, WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities.”

The vulnerability is embarrassing and atavistic. Unsalted hashes and SQL injections are basic security concepts that even novice developers are aware of. The LAMP stack that runs most WordPress sites is so prevalent and mature that it is routinely and easily hardened to enterprise standards. For a poorly written plug-in to create such an vulnerability is incredibly frustrating to WordPress administrators.

Whenever a product (like WordPress) encourages the creation of an ecosystem of plugins, they have to make a business decision on how restrictive or open they want the platform to be. The comparison of the iOS iTunes policy and the Google Play store policy represent archetypical positions. Apple institutes strict review of all apps submitted for inclusion in the store, whereas Google has very few limitations on what can be submitted. Consequently, iTunes rarely has vulnerable or malicious apps while Google Play store has a significant percentage of bad apps – and this open policy allowed Google Play store to overtake iTunes in quantity of apps back in 2013.

When malware or other bad apps are found in Google Play store, few people blame Google because Google doesn’t claim to be a gatekeeper. WordPress for some reason doesn’t get this same treatment, despite the fact that their documented plugin review does not include any inspection for vulnerabilities.

To mitigate risk, WordPress admins must carefully consider every plugin they add to their deployment and stay vigilant about updates. Likewise, users should always be careful about how much information they submit to any site, especially WordPress sites. Password management tools like LastPass will mitigate any damage that leaked passwords would cause, and any other information volunteered to the site should be considered semi-public. Even without vulnerabilities like this, users should not blindly trust the admins running the site itself.